Upgrade github.com/go-kit/kit package to fix CVE-2022-24450 vulnerability #5121
Conversation
Kudos, SonarCloud Quality Gate passed! |
Thanks for creating this pull request! I definitely see the value in having this feature and can understand why you would need it as well. Let's see if we can get some feedback from the rest of the team and work towards getting this implemented. Great work! |
Dear A7103, Thank you so much for creating this pull request to upgrade the github.com/go-kit/kit package. Your efforts to address the vulnerabilities in the previous version are greatly appreciated. We are grateful for your hard work and dedication to improving the security of our project. Thank you again for your contribution! |
Codecov Report

```diff
@@            Coverage Diff             @@
##           develop    #5121      +/-   ##
===========================================
- Coverage    54.83%   54.76%   -0.07%
===========================================
  Files          246      246
  Lines        21896    21896
===========================================
- Hits         12006    11991      -15
- Misses        8938     8949      +11
- Partials       952      956       +4
```
@flycash This is a [Upgrade github.com/go-kit/kit package to fix CVE-2022-24450 vulnerability] done. And if you remember, can help to raise a new MR to upgrade the version to stable version. |
I mean, the kit version |
@flycash Thank you!
I tried it before, but I found someone asked the author a similar question in go-kit/kit#843 (comment). It seems that he/she is reluctant to release a new version but wants to let the downstream control it itself. |
Another possible reason the author does not release a new version is go-kit/kit#1223, but it still causes vulnerability warnings for projects that depend on beego, so I think it is still necessary to upgrade it. |
Now beego uses github.com/go-kit/kit v0.10.0, a version that contains the vulnerability CVE-2022-24450. This PR is to upgrade the github.com/go-kit/kit package to the newest version to fix it.

NOTE: github.com/go-kit/kit's last release version, v0.12.0, still contains the vulnerability, but the master branch has fixed it (go-kit/kit#1237), so I use the `go get -v -u github.com/go-kit/kit@master` command to upgrade it. (v0.12.0 was released in 2021.)
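The upgrade described in the PR pins go-kit/kit to a master commit rather than a tag, so after `go get ...@master` the go.mod records a Go pseudo-version instead of a release tag. The script below is an added example, not code from the beego PR or from go-kit: it reads the go-kit/kit requirement out of a go.mod and reports whether the project is still on a tagged release (which, per the PR description, still carries CVE-2022-24450 up to and including v0.12.0) or on a commit pin. The two go.mod fragments are constructed for the demonstration, and the timestamp and commit prefix in the pseudo-version are placeholders, not the real fix commit from go-kit/kit#1237.

```shell
#!/bin/sh
# Added example, not code from the beego PR: read the github.com/go-kit/kit
# requirement out of a go.mod and tell a tagged release apart from a commit
# pin (Go pseudo-version) such as the one `go get ...@master` writes.

# Constructed go.mod before the upgrade: the v0.10.0 requirement the PR replaces.
GOMOD_BEFORE='module example.com/app

go 1.18

require (
	github.com/go-kit/kit v0.10.0
	github.com/stretchr/testify v1.8.0
)
'

# Constructed go.mod after `go get github.com/go-kit/kit@master`. The
# timestamp and 12-hex-digit commit prefix are placeholders, not the real
# fix commit referenced by go-kit/kit#1237.
GOMOD_AFTER='module example.com/app

go 1.18

require github.com/go-kit/kit v0.12.1-0.20220826000000-0123456789ab
'

# kit_version: print the version that the go.mod on stdin requires for
# go-kit/kit. Handles both the "require ( ... )" block and the one-line form.
kit_version() {
    awk '
        $1 == "github.com/go-kit/kit" { print $2; exit }
        $1 == "require" && $2 == "github.com/go-kit/kit" { print $3; exit }
    '
}

# classify_version: "pseudo" for a Go pseudo-version, i.e. a 14-digit
# timestamp and 12-hex-digit commit prefix after "-" or "." (the forms
# vX.0.0-ts-hash, vX.Y.Z-pre.0.ts-hash and vX.Y.(Z+1)-0.ts-hash),
# "tagged" for a plain release tag such as v0.12.0.
classify_version() {
    D='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
    H='[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]'
    case "$1" in
        *[-.]$D-$H) echo pseudo ;;
        *) echo tagged ;;
    esac
}

# check_kit: return 0 when the go.mod on stdin pins go-kit/kit to a commit,
# return 1 when it still points at a tagged release, which according to the
# PR description (v0.12.0 being the last tag) still carries CVE-2022-24450.
check_kit() {
    v=$(kit_version)
    if [ -z "$v" ]; then
        echo "github.com/go-kit/kit is not required by this go.mod"
        return 0
    fi
    kind=$(classify_version "$v")
    echo "github.com/go-kit/kit $v ($kind)"
    [ "$kind" = pseudo ]
}

printf '%s' "$GOMOD_BEFORE" | check_kit || echo "-> still on a tagged release; run: go get -v -u github.com/go-kit/kit@master"
printf '%s' "$GOMOD_AFTER" | check_kit && echo "-> pinned to a master commit"
```

Run it against a real go.mod with `check_kit < go.mod`; a non-zero exit marks a project that still depends on a tagged go-kit/kit release. A pseudo-version only proves the dependency points at some commit, so confirm that the recorded commit is at or after the fix from go-kit/kit#1237 before treating the warning as resolved.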